Half of those show as IIS 5.0/Windows 2000. There is no way that a Windows 2000 box has stayed online for 1700 days (over 5 years!!!) without being pwned and crashed. For large sites that do load balancing and such, Netcraft is a better indicator of SITE uptime instead of uptime for a single particular box.
FTA: "... the city found that the system serving as the distribution point
Ok, if I have a single workstation with "AntiVirus 2009", I will probably nuke it without a second thought. If one of my servers has been commandeered to serve as the command and control channel for a worm that just ate 800 of my PCs, I SURE AS HELL AM GOING TO GET A dd OR OTHER FORENSICALLY SOUND IMAGE OF THE MACHINE BEFORE I WIPE IT!!!!!!!!! For crying out loud, they contacted the FBI, but they just destroyed what could have been the single most important piece of evidence! Do they have a Best Buy in Norfolk? For $100 they could have brought the machine up on a clean hard disk and set the existing one aside for forensic examination without wasting the time of taking an image of the drive.
Also, they have no idea how the attack occurred, but they are sure it didn't come from the internet. Any evidence to back that up? It's one thing to say it probably didn't come from the internet because our logs show no traffic to support that possibility. It's ridiculous to make that same statement based on a gut feel.
If this article is accurate, these guys are playing amateur hour IT security. Their first action should have been to contact a qualified incident handler.
Dammit. Those music-stealers ruin everything.
From TFA: It’s surprising that Microsoft hasn’t made more noise about the use of Microsoft Office in space
Microsoft probably isn't making more noise about this because it is a TERRIBLE system.
Can anyone find an actual translation of the amendment or a better summary? TFA sounds like it was written in a combination of management-ese and marketing-speak.
FTA: "...the image is of the computer geek surrounded by such things as computer games, science-fiction memorabilia and junk food...", followed by "...many women don't like the portrait of masculinity that it evokes..."
YES! GEEKS ARE MASCULINE!!!
They are effectively shifting the work of verification to the recipient of the letter. If you are guilty, they found their mark. If you haven't done what they accuse you of, and you will probably be indignant enough to go through some effort to correct their "error". Sending out the letters without verification requires almost no work from them, has no risk, and sometimes gets them money. Verification would only add more work with no payback in reduction of risk or increase in monetary return.
I am surprised more people don't see this as a shakedown racket. Also, since the RIAA gets money in return for the cost of a trained monkey running mailmerge in Microsoft Word, I don't see why they haven't purchased an electronic copy of the phone book so they can simply send out letters to everyone in the country.
"Guideline" is incompatible with "require".
...you can quote the $250,000 fines the BSA can assess PER VIOLATION...
The BSA cannot assess anything. They have no legal authority to do so. What they can do is ask you to pay money in a settlement rather than engaging in a very long and expensive legal battle against them. If the case has very clear-cut evidence, paying $250,000 may well be cheaper, quicker and simpler than a court battle, even for a very small company.
But competing is HARD.
Getting legislation passed that legally mandates everyone do as you wish is EASY. And probably entails less cost and risk.
In many cases, the webserver IS the app server.
This sort of feature could be very useful for those smaller shops and cheap shops who haven't yet created a dedicated Web tier, or for all those internal webservers which host the Wiki, etc.
If they are smaller/cheaper shops, they probably aren't playing around with heavy virtualization to begin with. If you are virtualizing your example box, you're doing it wrong.
But what if half the webservers drop off because the circuit which powers that side of the cage went down? And the 'redundant' power supplies on your machines weren't really 'redundant' (Thanks Dell)?
Get a better UPS setup. If you have entire racks of systems that fill a cage, and your servers all shut down because their power died, you're doing it wrong. Rather than plugging all of the servers into individual UPS systems, get a UPS that covers all the circuits for the cage. And a generator.
More than anything else, executives don't want to be surprised. Giving them the weekly page response numbers is fine, but what they really need is forward-looking analysis based on those numbers and your experience. Something like "looking at the current load capabilities of our web servers, we will probably need to spend some capital on additional web servers if we add more than 500 additional reporting sites. Looking at our current growth rate of adding 50 sites per month, it looks like that money will need to be spent in less than 10 months to support continued growth." What they REALLY hate is when you run into their office at 12:30 on Friday afternoon yelling "Our systems hit the wall with that last new customer. I need $25k NOW!" Also, you've covered your butt by notifying them about serious issues that could affect the business with enough time to plan.
They may not actually spend the money that you have recommended, but if you have a trail to document your recommendations, you may be able to avoid getting blamed when the web servers can't handle the load when that big new customer gets signed.
I follow a number of security-focused mailing lists, and about once every two or three months someone posts something like this: "Help! The plant mangers at $CRITICAL_INFRASTRUCTURE_SITE where I work want to have all the formerly air-gapped SCADA systems accessible via a web browser from any internet-connected PC so they can check the plant status from home, on vacation, while at conferences etc. I haven't been able to talk them out of it, can anyone help with a better argument?"
What reasoning do your propose to people who's response to the argument of "if we are hacked, the loss of life and bankruptcy of our company will come back to you" is met with "you IT guys are too paraniod"?
Until people start going to jail, profit and convenience will trump everything else.
No, I don't, I believe that falls under acceptable use. I don't neccessarily agree with the "Don't hack your Tivo" attitude either. I'm just trying to bring some clarification as to why the "don't steal from Tivo" folks try to also clamp down on the "repurpose my Tivo" folks.
Testing can show the presense of bugs, but not their absence. -- Dijkstra
